Popular Mobile Modems Plagued by Zero-Day Flaws

Researchers have conducted an analysis of popular mobile broadband modems and routers from various vendors and discovered that the devices are plagued by serious vulnerabilities that can be leveraged in malicious attacks.

The analysis was conducted by Positive Technologies, a company that provides compliance management, vulnerability assessment, and threat analysis solutions. Experts tested eight 3G/4G devices from Huawei, Gemtek, Quanta and ZTE, including ones running custom firmware installed by an Internet service provider.

According to the security firm, five of the tested modems and routers are vulnerable to remote code execution. Huawei is the only vendor that released firmware updates to address these vulnerabilities.

Experts determined that six of the verified devices lacked proper integrity protection, allowing attackers to make modifications to their firmware. The modems that offer the best protection against such attacks are designed to receive firmware updates only via the carrier’s network.

Five of the devices also lack cross-site request forgery (CSRF) protection, allowing attackers to remotely upload modified firmware and inject arbitrary code. Cross-site scripting (XSS) vulnerabilities have also been identified in four devices.

For malicious actors to exploit these vulnerabilities, they would first have to identify the model of the targeted modem or router. Positive Technologies has created a script that can be used for this purpose – the company said it managed to identify all modems using this method.

Once the targeted device is identified, the attacker can exploit RCE vulnerabilities or upload modified firmware for arbitrary code injection. Some of the analyzed modems used encryption to protect the firmware, but researchers demonstrated that the encryption can be cracked.

After gaining the ability to execute arbitrary code on a device, attackers can start intercepting data. Hackers can do this by changing the modem’s DNS settings or by configuring the device to connect to an attacker-controlled access point after determining the victim’s location based on the base station identifier or by scanning nearby Wi-Fi networks. HTTPS data can also be intercepted by adding a rogue certificate to the Trusted Root Certification Authorities store and conducting man-in-the-middle (MitM) attacks.

In the case of modems with SMS support, researchers showed that attackers can read and send SMS messages. SIM card cloning and 2G traffic interception are also possible, experts noted.

Positive Technologies says attackers can also use their access to a modem to infect the PC it’s connected to, allowing them to steal and intercept data. Furthermore, having access to both the modem and the computer can be leveraged to achieve persistence.

Experts believe these vulnerabilities can be exploited to create an extensive surveillance network.

“All in all, we have a full infection cycle of devices and related PCs. Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic,” Positive Technologies wrote in a blog post. “Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device).”

Data collected by Positive Technologies over a one-week period in early 2015 showed that there had been thousands of vulnerable devices visible on the Web. Three months after the vulnerabilities were reported to vendors, many of the security holes remained unfixed, researchers said.

The security firm says Huawei modems running the latest firmware version are the most secure against attacks.

Last year, Positive Technologies’ SCADA Strangelove team conducted an analysis of cellular communications equipment which, as researchers pointed out at the time, is also integrated into industrial control systems (ICS).